So, this October, when the Church Auditor gets up, if he says "With the exception of BYU, all Church entities are in compliance", it could very well be me that was the cause of the wording.
2 church auditors showed up today to take a peek at our main DB servers. One guy was an Oracle guy, one guy was a systems guy. The DB guy seems to know what he's doing, I don't have to deal with him. The systems guy, however, appears to be a pencil head. He gave me a list of commands he wanted output from, I looked over them, and crossed 4 of them out. (I think they are AIX commands, and don't exist in HPUX.) I told him that the stuff he wanted to see wouldn't tell him much of anything, his response was "it's a start..."
Well, their timeframe is 3-4 weeks to "finish", whatever that means. (Not actually sure of his objectives.) The auditor guy will be gone next week, I will be gone the week after (Ft. Collins, CO), then we have a load test the week after. There's no way that their timeframe will get met.
On top of that, I don't like auditors that just stick their noses in a book, decide that they have good questions to ask, then ask them. (Hense the pencil head label.) If he came in, let me know what he wanted to see, and (possibly) understood what I showed him, we would be done in 2 or 3 hours. As it is, this will drag out into weeks of stuff.
If they really want a good systems auditor, they should hire a systems guy. The systems guy walks in, asks me "what are you doing for security?" I talk to him about it for 15-30 minutes, he goes away. A couple of days later, he comes back with well thought out, applicable, useful questions based on the previous conversation. Then the 3rd meeting involves looking over files on the systems related to security. Audit over.
I am sure #1 on the audit report is this: "John is difficult to work with." #2 - "The systems are fine."
No comments:
Post a Comment